Sony Picture's Russian site was hacked this weekend, shortly after its American counterpart was compromised, exposing over 1 million users.

The attacker was a familiar face, of late -- LulzSec. (Source: LulzSec)

LulzSec decided to publish a small number of user accounts following the breach -- many of which belonged, reportedly, to elderly users. Some of these users have since been victimized. Where's the "lulz" in that? (Source: AP Photo)

There's no real winners with the latest Sony hack

Sometimes
there's just a story that's just plain sad all around. This is arguably
the case with the latest hack of Sony Corp (6758),
in which the company saw the compromise of another 1 million user records and hackers
published private information on elderly users.

I. An Unsympathetic Cast

On the one side you have Sony -- a Japanese corporate giant. The company
has long reveled in its dominant position and hasn't been afraid to flex its
muscle over users. Back in 2005, the company installed
root kits on users' computers via music CDs. The botched
copy protection effort allowed malicious hackers to infect unwitting users'
machines.

Likewise, Sony initially promoted Linux for the PlayStation 3, only to reverse
position and turn its back on Linux PS3 users. It could have merely cut
support, but instead it actively
tried to lock users with internet-connected consoles out of
Linux, citing supposed "security concerns". And when hardware
hacker George "GeoHot" Hotz posted information to restore support (via
jailbreaking the console) Sony harassed him in U.S. court, abusing questionable
judicial decision to invade the young man's privacy.

As unsympathetic a character as Sony is, on the other hand you have an equally
flagrant party opposing it. Much as Sony has abused its corporate power
over users, hackers -- most notably Lebanese-based Idahc (Twitter)
and the international group "LulzSec" (Lulz Security)
-- have lorded their superior security skills over the clueless giant,
constantly mocking and lashing it.

Caught in the midst of this battle are the company's millions of users, who are
having their private information exposed. Hackers gleefully have posted
torrents of users passwords, addresses, birthdays, and more online.

While it's possible that the lax security at Sony could have allowed some
malicious users to access this information in the first place, the hackers have
taken all the difficulty out of it. Now your every day clueless criminal
can enjoy the same level of access as a sophisticated cyberthief. Thus the
risks have greatly raised for anyone who gave information to Sony.

II. Attacking the Elderly

LulzSec, who recently lashed out at veteran hacker publication2600 and
"th3j35t3r" -- a prominent anti-terrorist hacktivist -- yet again
humiliated Sony's incompetent cyber security efforts this weekend. This
time the group hacked Sony Pictures servers, gaining access to (allegedly) over 1
million user records in a database that had been used to store entrants in a
promotional contest.

The group didn't have to try that hard at this one. Where as they had to
slave over kernel vulnerabilities in their recent pro-Wikileaks attack on
news organization PBS, they were able to exploit Sony with an SQL
injection attack -- a method that takes advantage of sloppy coding in handling
URL requests to your databases. Yes, this is the same "Little
Bobby Tables" attack as XKCD famously
nicknamed it, which was use to exploit various Sony databases several times
over the last few months [1] [2] [3].

The Sony Pictures Russian website was also hacked [Pastebin] over the weekend, though it is unknown how many admin and public accounts were
compromised. LulzSec joked in its post accompanying this intrusion:

In Soviet Russia, SQL injects you...

The group says they were not responsible for directly attacking the Russian site, indicating other parties were to blame.

In
questionable judgment, the group reportedly decided to publish excerpts of the user record set from the Sony Pictures breach, including elderly users (aged 60 and older) who were featured at the start of the file.
They posted the information in a torrent that included names, home
addresses, passwords, and e-mail addresses.

Password reuse is rife among even moderately internet-savvy young people today
and among the majority of elderly users it's virtually a given. Thus it
is not surprising that there have been reports of malicious users hacking
users' other web accounts, committing malicious and possibly financially
damaging mischief.

LulzSec remains unsympathetic for these attacks on the elderly, stating via Twitter:

I hear there's been some funny scamming with
jacked Sony accounts. That's what you get for using the same password
everywhere. Hey innocent people whose data we leaked: blame @Sony.

The data
appears to be authentic -- the Associated Press has confirmed multiple users/addresses to be
real. Some account information appears to be faked -- likely by users who
didn't wish to enter their real data for the contest.

III. What Can be Done Here?

These hacks should be a wake up call for Sony. The company is used to
being the bully. Now it's getting bullied. With nearly 105 million
user records lost [1][2], the company should give a long hard thought
to changing its corporate culture. A small dose of humble can go a long
way.

At this point Sony also needs to make some major adjustments to its security
staff. It needs to implement rigorous competence testing to identify who
has necessary skills to work in such a high-pressure position and who doesn't.
Incompetent and/or unproductive employees must be let go.

Likewise Sony needs a major change in its security management. Managers
are responsible for their employees’ failings, so if their staff gets cut, they
should as well. Sony needs to bring in talent from outside -- either
experienced hires or contracted help. But it must improve its staff,
which -- as a whole -- has unquestionably proven its incompetence.

Likewise Sony needs to swallow its pride and take down all databases off its
web servers that it hasn't carefully secured. It needs to switch from
defense action to a more proactive approach. It should consider any
database not yet attacked a probable target. Likewise it needs to take
down any poorly secured pages and repost only after rigorous penetration
testing to ensure there are no gaping holes.

As for LulzSec the group joked:

We could just DDoS every Jihad website Jester
takes down for 30 minutes at a time, but then the poor schizo bastard would
have nothing left.

Well if
they can do that, why don't they? There are plenty of
groups that deserve to be taken offline and deserve a whole boatload (LulzSec
pun intended) of "Wild West" style web justice handed to them,
including:

Sony is no role model as far as customer treatment goes, but it's hard to argue
that it's a greater villain that an al-Qaida suicide attacker or a child
molester.

Griefing can seem enjoyable when its target is someone unpopular -- much like
bullying. But ultimately acting as a griefer (which arguably can be
said of LulzSec) is a self-destructive choice.

We doubt this is the last hack of Sony given their atrocious track record and
the fact that the hacker sharks have smelled the lustful aroma of blood in the
water.

But before hackers continue to whale on the hapless Sony, perhaps they should
watch the movie Gran Torino. Walt could have easily have brought
his gun and shot those local gang members when he confronted then. But
would his fictitious stand have a fraction of the meaning or power, had he sunk
to their level?

Update: Monday June 6, 2011, 7:05 p.m.

The article was initially worded in a way that implied that the archive solely included records of the elderly. We've since obtained the archive and verified that it has multiple records -- including those of both elderly users and younger users. Multiple news sources initially indicated that the record solely targeted the elderly.

This appears to be based upon the start of the record set being comprised of users born in the 1920s (81 or older), 1930s (71 or older), and 1940s (61 or older).

We've update the text to reflect this clarification.

"It looks like the iPhone 4 might be their Vista, and I'm okay with that." -- Microsoft COO Kevin Turner